
It is my understanding that this work addresses a very different use case than we have been discussing within PGI. It's a deployment that is encapsulated within the service infrastructure (generally within a single site) to support authorization decisions. Not the user/role driven authentication tokens that we have been discussing within PGI - our primary use case.

Steven

Dr Steven Newhouse
EGEE Technical Director
http://cern.ch/Steven.Newhouse
-----Original Message-----
From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of Etienne URBAH
Sent: 03 April 2009 15:38
To: pgi-wg@ogf.org
Cc: edges-na3@mail.edges-grid.eu; lodygens@lal.in2p3.fr
Subject: [Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)
To All,
My previous mail today shows that the security work of PGI is now stuck in an irreconcilable incompatibility between:
- RFC-3820-compliant X509 certificates and proxies on one part,
- GSI-style X509 proxies (which can be delegated) on the other part.
But there is some hope: At the last MWSG meeting in Zürich, David GROEP gave a presentation 'AuthZ Interop report' available at http://indico.cern.ch/materialDisplay.py?contribId=22&sessionId=3&materialId=slides&confId=52862
This presentation describes current work in good progress begun in 2007 on security interoperability between OSG and EGEE, with the help of Globus and Condor teams.
This work uses the Common Open Policy Service (COPS) model defined in RFC 2748 at http://tools.ietf.org/html/rfc2748
COPS defines at least the following 2 concepts:
- PDP = Policy Decision Point
- PEP = Policy Enforcement Point
Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2.
There are production deployments in OSG and EGEE.
So I suggest that, before reinventing the wheel, we study in detail the above mentioned document, in order to quickly know:
- The problems which they are encountering,
- The solutions which they are finding,
- The interoperable components which they are deploying and which we could reuse,
- ...
Best regards.
----------------------------------
Etienne URBAH
IN2P3 - LAL
Bat 200
91898 ORSAY
France
Tel: +33 1 64 46 84 87
Mob: +33 6 22 30 53 27
Skype: etienne.urbah
mailto:urbah@lal.in2p3.fr
----------------------------------